Package: libgnutls26
Version: 2.2.3-1
Severity: important

I regenerated my SSL certificates today (due to the security advisory)
and mutt now refuses to connect to my SMTP server with STARTTLS.  This
is obviously unsuitable.

cyrus-clients-2.3's smtptest (which uses OpenSSL) does not object
to the certificate.  You can find the old certificate, which worked
fine, at
http://crustytoothpaste.ath.cx/cgi-bin/pyca/view-cert.py/ServerCerts/server?18
.  I generated them exactly the same way, and they appear to have
exactly the same extensions.  The MTA is sendmail, which uses OpenSSL.

Feel free to test against my machine if you want.

Transcript of session:

lakeview ok % gnutls-cli -p 587 -s crustytoothpaste.ath.cx
Resolving 'crustytoothpaste.ath.cx'...
Connecting to '172.16.0.1:587'...

- Simple Client Mode:

220 crustytoothpaste.ath.cx ESMTP spoken here
EHLO lakeview.crustytoothpaste.ath.cx
250-crustytoothpaste.ath.cx Hello [172.16.3.249], pleased to meet you
250-ENHANCEDSTATUSCODES
250-PIPELINING
250-8BITMIME
250-SIZE 15000000
250-DSN
250-ETRN
250-AUTH GSSAPI DIGEST-MD5 CRAM-MD5
250-STARTTLS
250-DELIVERBY
250 HELP
STARTTLS
220 2.0.0 Ready to start TLS
*** Starting TLS handshake
*** Fatal error: Key usage violation in certificate has been detected.
*** Handshake has failed


-- System Information:
Debian Release: lenny/sid
   APT prefers unstable
   APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.25-1-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libgnutls26 depends on:
ii  libc6                  2.7-11            GNU C Library: Shared libraries
ii  libgcrypt11            1.4.1-1           LGPL Crypto library - runtime libr
ii  libgpg-error0          1.4-2             library for common error values an
ii  libopencdk10           0.6.6-1           Open Crypto Development Kit (OpenC
ii  libtasn1-3             1.4-1             Manage ASN.1 structures (runtime)
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libgnutls26 recommends no packages.

-- no debconf information

--
brian m. carlson / brian with sandals: Houston, Texas, US
+1 713 440 7475 | http://crustytoothpaste.ath.cx/~bmc | My opinion only
troff on top of XML: http://crustytoothpaste.ath.cx/~bmc/code/thwack
OpenPGP: RSA v4 4096b 88AC E9B2 9196 305B A994 7552 F1BA 225C 0223 B187
